Sunday, April 29, 2018

One of the ways malware authors hide the intent of the malware they are writing is by keeping the Import Address Table (IAT) small or filled with useless functions. Instead, the real IAT is built during the execution of the malware, and the code is full of indirect function calls similar to the one below. (The boxes filled with yellow are CALL instructions.)

Without executing the malware, it's hard to determine which function each of these indirect calls will invoke.

After executing the malware under the IDA debugger, we can see that the indirect function calls point to addresses in a list of function pointers. The base address of this table of function pointers is held in the ESI register, e.g. Call [esi+3c].

To speed up our analysis, we can find a way to label the addresses of these function pointers with the names of the functions they reference.
To do so we can use the following Python script:

After running the script, we can see that the addresses of the function pointers have been renamed.

Next, we need to create a struct from the function pointers.

Finally, we can right-click and label each indirect function call with the function it is going to call.
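As an added example (not the script the post refers to), the following IDAPython-style code walks a runtime-built table of function pointers like the one ESI points to, stops at the end of the table, and names each slot after the function it holds, so that a call through a slot can be read off its displacement. The table bytes, addresses and names are constructed for illustration; the IDA glue assumes the IDA 7 API (`ida_bytes.get_bytes`, `ida_name.get_name`, `idc.set_name`, `idc.get_reg_value`) and that the debugger has already named the module exports.

```python
import struct

# Constructed sample (not from the post): a little-endian x86 table of 32-bit
# function pointers, as a malware would build it at runtime, plus the names the
# debugger would have given those addresses. All addresses are made up.
SAMPLE_SYMBOLS = {
    0x7C801D7B: "kernel32_LoadLibraryA",
    0x7C80AE40: "kernel32_GetProcAddress",
    0x7C801A24: "kernel32_CreateFileA",
    0x7C80BE10: "kernel32_WriteFile",
}
SAMPLE_TABLE = struct.pack("<5I", 0x7C801D7B, 0x7C80AE40, 0x7C801A24, 0x7C80BE10, 0)


def resolve_pointer_table(table, resolve_name, ptr_size=4):
    """Walk a table of pointers and return {slot_offset: function_name}.

    Stops at the first null slot or at the first slot whose target has no name,
    which is how the end of a runtime-built table is usually recognised."""
    fmt = "<I" if ptr_size == 4 else "<Q"
    labels = {}
    for off in range(0, len(table) - ptr_size + 1, ptr_size):
        target = struct.unpack(fmt, table[off:off + ptr_size])[0]
        name = resolve_name(target) if target else None
        if not name:
            break
        labels[off] = name
    return labels


def slot_names(labels):
    """Turn the table map into unique slot names, e.g. p_kernel32_GetProcAddress,
    so that 'call [esi+4]' can be read as a call through the slot at offset 4."""
    seen, out = set(), {}
    for off, name in labels.items():
        slot = "p_" + name
        if slot in seen:                 # the same API resolved twice
            slot = "%s_%X" % (slot, off)
        seen.add(slot)
        out[off] = slot
    return out


def label_table_in_ida(table_ea=None, max_entries=256):
    """IDA-only glue: read the table the debuggee built (at ESI unless given) and
    name every slot in the database. Assumes the IDA 7 API; only runs inside IDA."""
    import idc, ida_bytes, ida_name   # available only inside IDA
    if table_ea is None:
        table_ea = idc.get_reg_value("ESI")
    raw = ida_bytes.get_bytes(table_ea, max_entries * 4) or b""
    labels = resolve_pointer_table(raw, lambda ea: ida_name.get_name(ea) or None)
    for off, slot in slot_names(labels).items():
        idc.set_name(table_ea + off, slot, idc.SN_CHECK | idc.SN_NOWARN)
    return labels
```

Inside IDA, break after the malware has filled the table, then call `label_table_in_ida()` while ESI still holds the table base; the renamed slots are then ready to be turned into the struct described next.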

I know I have left out a few steps, like how to use the IDA Pro debugger, create a struct, and the details of the functions used in the script. Just leave me a comment or question if you need more details. :)

Thanks to @nullandnull's tweet reply, I have updated my script to support the following: